[dns-operations] Recently closed open resolver and reflection attacks
casey at deccio.net
Wed Mar 6 18:55:57 UTC 2013
On Wed, Mar 6, 2013 at 10:12 AM, Vernon Schryver <vjs at rhyolite.com> wrote:
> > From: Casey Deccio <casey at deccio.net>
> > Seems like a REFUSED response fits into its own RRL category. Is there
> > reason why name servers wouldn't simply drop them if they exceed the
> > configured RRL threshold--or even perhaps a lower threshold?
> The current version of the BIND9 RRL implementation has the
> errors-per-second parameter.
Thanks - I had forgotten about this parameter.
> For documentation, follow the link labeled
> "Draft text for BIND9 Administrators Reference Manual (ARM) describing"
> on http://www.redbarn.org/dns/ratelimits
> The paragraph in that text describing "slip" concludes with:
> A value of 0 does not "slip" or sends no rate limiting truncated
> responses. Some error responses including REFUSED and SERVFAIL
> cannot be replaced with truncated responses and are instead
> leaked at the slip rate.
Is there any benefit to a non-zero slip value for these responses?
Certainly they're not amplifying, but I understand the purpose of non-zero
slip is to give legitimate clients some chance of response amid the large
quantity of queries from spoofed clients. REFUSED messages seem more like
a courtesy in the interest of timely failure than anything else. It seems
unlikely that legitimate clients would be much affected by lack of response
for REFUSED queries in the interest of eliminating noise.
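The slip semantics quoted above, worked through as an added example (not code from BIND9, the ARM draft, or anyone in this thread): a simplified token-bucket model with separate responses-per-second and errors-per-second limits, where every slip-th over-limit answer is truncated (TC=1, so a real resolver retries over TCP), REFUSED and SERVFAIL are instead leaked unchanged at the slip rate, and slip 0 drops every over-limit answer. The class and function names (`RRLConfig`, `RateLimiter`, `simulate`), the one-bucket-for-all-errors grouping, and the client address 203.0.113.7 are assumptions of the model, not BIND behaviour the message documents.

```python
"""Toy model of the RRL "slip" behaviour discussed above: per-client-prefix
token buckets for responses-per-second and errors-per-second, with every
slip-th over-limit response either truncated (TC=1) or, for REFUSED/SERVFAIL
which cannot be truncated, leaked unchanged.  Simplified model, not BIND's code."""
from collections import Counter
from dataclasses import dataclass
import ipaddress

NOERROR, NXDOMAIN, REFUSED, SERVFAIL = "NOERROR", "NXDOMAIN", "REFUSED", "SERVFAIL"
# Error rcodes that cannot be replaced by a truncated response.  A REFUSED or
# SERVFAIL carries only the question section, so it is roughly query-sized and
# does not amplify; it is either leaked at the slip rate or dropped.
UNTRUNCATABLE = {REFUSED, SERVFAIL}


@dataclass
class RRLConfig:  # hypothetical config holder mirroring the named.conf knobs
    responses_per_second: int = 5   # limit for identical non-error responses
    errors_per_second: int = 5      # limit for REFUSED/SERVFAIL
    slip: int = 2                   # 0: drop all over-limit; N: let every Nth through
    ipv4_prefix_length: int = 24    # clients are aggregated by this prefix


@dataclass
class Bucket:
    tokens: float
    last: float
    over_limit: int = 0   # over-limit responses seen so far, drives the slip decision


class RateLimiter:
    def __init__(self, cfg: RRLConfig):
        self.cfg = cfg
        self.buckets: dict = {}

    def _key(self, client_ip: str, rcode: str, qname: str, qtype: str):
        net = ipaddress.ip_network(
            f"{client_ip}/{self.cfg.ipv4_prefix_length}", strict=False)
        if rcode in UNTRUNCATABLE:
            # Modelling assumption: all REFUSED/SERVFAIL for a prefix share one bucket.
            return (net, "error")
        return (net, rcode, qname.lower(), qtype)

    def decide(self, now: float, client_ip: str, rcode: str,
               qname: str = "", qtype: str = "A") -> str:
        """Return SEND, DROP, TRUNCATE or LEAK for one would-be response."""
        cfg = self.cfg
        limit = cfg.errors_per_second if rcode in UNTRUNCATABLE else cfg.responses_per_second
        key = self._key(client_ip, rcode, qname, qtype)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(tokens=float(limit), last=now)
        # Refill at `limit` tokens per second, capped at one second's worth.
        b.tokens = min(float(limit), b.tokens + (now - b.last) * limit)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return "SEND"
        b.over_limit += 1
        if cfg.slip > 0 and b.over_limit % cfg.slip == 0:
            return "LEAK" if rcode in UNTRUNCATABLE else "TRUNCATE"
        return "DROP"


def simulate(cfg: RRLConfig, rcode: str, n: int,
             client_ip: str = "203.0.113.7", qname: str = "example.com") -> Counter:
    """Constructed burst: n identical queries at t=0 from one (possibly spoofed) source."""
    rl = RateLimiter(cfg)
    return Counter(rl.decide(0.0, client_ip, rcode, qname) for _ in range(n))


if __name__ == "__main__":
    for cfg, rcode in [(RRLConfig(slip=2), NOERROR),
                       (RRLConfig(slip=2), REFUSED),
                       (RRLConfig(slip=0), REFUSED)]:
        print(f"slip={cfg.slip} {rcode:8} -> {dict(simulate(cfg, rcode, 20))}")
```

With the default limit of 5 and slip 2, a burst of 20 REFUSED answers yields 5 sent, 7 leaked and 8 dropped; the same burst with slip 0 yields 5 sent and 15 dropped, which is the "no response for REFUSED beyond the threshold" outcome the message asks about.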